proxy add mta-sts

docs/post_installation/reverse-proxy/r_p-apache24.de.md

@@ -15,6 +15,7 @@ Let's Encrypt wird unserem Rewrite folgen, Zertifikatsanfragen in mailcow werden
   ServerName ZU MAILCOW HOSTNAMEN ÄNDERN
   ServerAlias autodiscover.*
   ServerAlias autoconfig.*
+  ServerAlias mta-sts.*
   RewriteEngine on
 
   RewriteCond %{HTTPS} off
@@ -30,6 +31,7 @@ Let's Encrypt wird unserem Rewrite folgen, Zertifikatsanfragen in mailcow werden
   ServerName ZU MAILCOW HOSTNAMEN ÄNDERN
   ServerAlias autodiscover.*
   ServerAlias autoconfig.*
+  ServerAlias mta-sts.*
 
   # You should proxy to a plain HTTP session to offload SSL processing
   ProxyPass /Microsoft-Server-ActiveSync http://127.0.0.1:8080/Microsoft-Server-ActiveSync connectiontimeout=4000

docs/post_installation/reverse-proxy/r_p-apache24.en.md

@@ -15,6 +15,7 @@ Let's Encrypt will follow our rewrite, certificate requests in mailcow will work
   ServerName CHANGE_TO_MAILCOW_HOSTNAME
   ServerAlias autodiscover.*
   ServerAlias autoconfig.*
+  ServerAlias mta-sts.*
   RewriteEngine on
 
   RewriteCond %{HTTPS} off
@@ -30,6 +31,7 @@ Let's Encrypt will follow our rewrite, certificate requests in mailcow will work
   ServerName CHANGE_TO_MAILCOW_HOSTNAME
   ServerAlias autodiscover.*
   ServerAlias autoconfig.*
+  ServerAlias mta-sts.*
 
   # You should proxy to a plain HTTP session to offload SSL processing
   ProxyPass /Microsoft-Server-ActiveSync http://127.0.0.1:8080/Microsoft-Server-ActiveSync connectiontimeout=4000

docs/post_installation/reverse-proxy/r_p-caddy2.de.md

@@ -12,7 +12,7 @@ Bspw:
 
 ``` hl_lines="1 3 13"
 
-MAILCOW_HOSTNAME autodiscover.MAILCOW_HOSTNAME autoconfig.MAILCOW_HOSTNAME {
+MAILCOW_HOSTNAME autodiscover.MAILCOW_HOSTNAME autoconfig.MAILCOW_HOSTNAME mta-sts.MAILCOW_HOSTNAME {
         log {
                 output file /var/log/caddy/MAILCOW_HOSTNAME.log {
                         roll_disabled

docs/post_installation/reverse-proxy/r_p-caddy2.en.md

@@ -11,7 +11,7 @@ In the caddyfile you just have to create a section for the mailserver.
 For example
 ``` hl_lines="1 3 13"
 
-MAILCOW_HOSTNAME autodiscover.MAILCOW_HOSTNAME autoconfig.MAILCOW_HOSTNAME {
+MAILCOW_HOSTNAME autodiscover.MAILCOW_HOSTNAME autoconfig.MAILCOW_HOSTNAME mta-sts.MAILCOW_HOSTNAME {
         log {
                 output file /var/log/caddy/MAILCOW_HOSTNAME.log {
                         roll_disabled

docs/post_installation/reverse-proxy/r_p-nginx.de.md

@@ -9,13 +9,13 @@ Let's Encrypt folgt unserem Rewrite, Zertifikatsanfragen funktionieren problemlo
 server {
   listen 80 default_server;
   listen [::]:80 default_server;
-  server_name ZU MAILCOW HOSTNAMEN ÄNDERN autodiscover.* autoconfig.*;
+  server_name ZU MAILCOW HOSTNAMEN ÄNDERN autodiscover.* autoconfig.* mta-sts.*;
   return 301 https://$host$request_uri;
 }
 server {
   listen 443 ssl http2;
   listen [::]:443 ssl http2;
-  server_name ZU MAILCOW HOSTNAMEN ÄNDERN autodiscover.* autoconfig.*;
+  server_name ZU MAILCOW HOSTNAMEN ÄNDERN autodiscover.* autoconfig.* mta-sts.*;
 
   ssl_certificate MAILCOW_PATH/data/assets/ssl/cert.pem;
   ssl_certificate_key MAILCOW_PATH/data/assets/ssl/key.pem;
@@ -61,4 +61,4 @@ server {
 Beim Einsatz eines Proxys in einem anderen Subnetz müssen Sie die folgende Umgebungsvariable in die mailcow.conf einfügen, damit der nginx-Container die oben gesetzte X-Real-IP akzeptiert.
 ```
 TRUSTED_PROXIES=#.#.#.#
-```
+```

docs/post_installation/reverse-proxy/r_p-nginx.en.md

@@ -9,13 +9,13 @@ Let's Encrypt will follow our rewrite, certificate requests will work fine.
 server {
   listen 80 default_server;
   listen [::]:80 default_server;
-  server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*;
+  server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.* mta-sts.*;
   return 301 https://$host$request_uri;
 }
 server {
   listen 443 ssl http2;
   listen [::]:443 ssl http2;
-  server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*;
+  server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.* mta-sts.*;
 
   ssl_certificate MAILCOW_PATH/data/assets/ssl/cert.pem;
   ssl_certificate_key MAILCOW_PATH/data/assets/ssl/key.pem;
@@ -61,4 +61,4 @@ server {
 When using a proxy on a different subnet you will need to add the following environment variable to the mailcow.conf to have the nginx container accept the X-Real-IP set above.
 ```
 TRUSTED_PROXIES=#.#.#.#
-```
+```

docs/post_installation/reverse-proxy/r_p-traefik3.de.md

@@ -16,7 +16,7 @@ Dieses Tutorial erklärt, wie man mailcow mit Traefik als Reverse-Proxy einricht
 Traefik übernimmt den gesamten eingehenden Webverkehr und leitet die entsprechenden Anfragen an mailcow weiter. Diese Konfiguration ermöglicht es Traefik:
 
 - SSL-Zertifikate zu verwalten
-- Autodiscover- und Autoconfig-Dienste bereitzustellen
+- Autodiscover-, Autoconfig- und MTA-STS-Dienste bereitzustellen
 - Die Frontend-Benutzeroberfläche zu bedienen
 - ACME-Challenge-Antworten für die Zertifikatsvalidierung des Mail-Servers zu übernehmen
 
@@ -62,6 +62,13 @@ SKIP_LETS_ENCRYPT=y
           tls:
             certResolver: cloudflare
 
+        mailcow-mta-sts:
+          entryPoints: "websecure"
+          rule: "(Host(`mta-sts.domain.com`) && Path(`/.well-known/mta-sts.txt`))"
+          service: mailcow-svc
+          tls:
+            certResolver: cloudflare
+
       services:
         mailcow:
           loadBalancer:
@@ -107,6 +114,11 @@ SKIP_LETS_ENCRYPT=y
           - traefik.http.routers.mailcow-autoconfig.tls.certresolver=cloudflare
           - traefik.http.routers.mailcow-autoconfig.service=mailcow-svc
 
+          - traefik.http.routers.mailcow-mta-sts.entrypoints=websecure
+          - traefik.http.routers.mailcow-mta-sts.rule=Host(`mta-sts.domain.com`)&& Path(`/.well-known/mta-sts.txt`)
+          - traefik.http.routers.mailcow-mta-sts.tls.certresolver=cloudflare
+          - traefik.http.routers.mailcow-mta-sts.service=mailcow-svc
+
           - traefik.http.routers.mailcow.entrypoints=websecure
           - traefik.http.routers.mailcow.rule=Host(`mail.domain.com`)
           - traefik.http.routers.mailcow.tls=true
@@ -125,7 +137,7 @@ SKIP_LETS_ENCRYPT=y
 
 **Wichtige Hinweise zu dieser Konfiguration:**
 
-- Ersetzen Sie `mail.domain.com`, `autoconfig.domain.com` und `autodiscover.domain.com` durch Ihre tatsächlichen Domainnamen
+- Ersetzen Sie `mail.domain.com`, `autoconfig.domain.com`, `autodiscover.domain.com` und `mta-sts.domain.com` durch Ihre tatsächlichen Domainnamen
 - `entryPoints: "websecure"` - ersetzen Sie dies durch Ihren tatsächlichen Traefik-HTTPS-Entrypoint
 - `certResolver: cloudflare` - ersetzen Sie dies durch Ihren tatsächlichen Zertifikatsresolver
 

docs/post_installation/reverse-proxy/r_p-traefik3.en.md

@@ -62,6 +62,13 @@ SKIP_LETS_ENCRYPT=y
           tls:
             certResolver: cloudflare
 
+        mailcow-mta-sts:
+          entryPoints: "websecure"
+          rule: "(Host(`mta-sts.domain.com`) && Path(`/.well-known/mta-sts.txt`))"
+          service: mailcow-svc
+          tls:
+            certResolver: cloudflare
+
       services:
         mailcow:
           loadBalancer:
@@ -107,6 +114,11 @@ SKIP_LETS_ENCRYPT=y
           - traefik.http.routers.mailcow-autoconfig.tls.certresolver=cloudflare
           - traefik.http.routers.mailcow-autoconfig.service=mailcow-svc
 
+          - traefik.http.routers.mailcow-mta-sts.entrypoints=websecure
+          - traefik.http.routers.mailcow-mta-sts.rule=Host(`mta-sts.domain.com`)&& Path(`/.well-known/mta-sts.txt`)
+          - traefik.http.routers.mailcow-mta-sts.tls.certresolver=cloudflare
+          - traefik.http.routers.mailcow-mta-sts.service=mailcow-svc
+
           - traefik.http.routers.mailcow.entrypoints=websecure
           - traefik.http.routers.mailcow.rule=Host(`mail.domain.com`)
           - traefik.http.routers.mailcow.tls=true
@@ -125,7 +137,7 @@ SKIP_LETS_ENCRYPT=y
 
 **Important notes about this configuration:**
 
-- Replace `mail.domain.com`, `autoconfig.domain.com`, and `autodiscover.domain.com` with your actual domain names
+- Replace `mail.domain.com`, `autoconfig.domain.com` `autoconfig.domain.com`, and `mta-sts.domain.com` with your actual domain names
 - `entryPoints: "websecure"` - replace it with your actual Traefik https entrypoint
 - `certResolver: cloudflare` - replace it with your actual certificate resolver